cdbbe3216b9f6f04191e01c6b26329e7db0ec798524560965c335776a5900e59

Analysis

max time kernel
155s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
12-11-2023 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.603a8c29907150fe09a361a5aabd8a00.exe
Size

39KB
MD5

603a8c29907150fe09a361a5aabd8a00
SHA1

47da16f75c05fdc000a4845d360177654b5733b8
SHA256

cdbbe3216b9f6f04191e01c6b26329e7db0ec798524560965c335776a5900e59
SHA512

c4106dd1464aad6736205ab0ae19f2a77599c33d6a7d642caef4ede5fe814880870309027d47085c48e4ba410af6d5219e776786feab5595c41c57f2bf28498b
SSDEEP

768:45ZFuzgxucryOmJQqO3VhDWiNlW+O96QhlqZU9jTuMdeNvEO:4579ucrFmJQqO3VhDWiC+i6Q/jaMdCv5

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation	NEAS.603a8c29907150fe09a361a5aabd8a00.exe

Executes dropped EXE 1 IoCs

pid	Process
440	hhcbrnaff.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 440	4596	NEAS.603a8c29907150fe09a361a5aabd8a00.exe	87
PID 4596 wrote to memory of 440	4596	NEAS.603a8c29907150fe09a361a5aabd8a00.exe	87
PID 4596 wrote to memory of 440	4596	NEAS.603a8c29907150fe09a361a5aabd8a00.exe	87

C:\Users\Admin\AppData\Local\Temp\NEAS.603a8c29907150fe09a361a5aabd8a00.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.603a8c29907150fe09a361a5aabd8a00.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe
  "C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe"
  2⤵
  - Executes dropped EXE
  PID:440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe

Filesize
39KB

MD5
8e354a279186960a523fc2b890198c71

SHA1
c9f176f7f9b39f2a883ca8135bbd4c5b71e20619

SHA256
516af66a590d4ac50cca346898f419a2b30a2c51419f000b2ba281d1fc3e05a7

SHA512
c792569db9e06e188c020a2d35060c23bf22ccad6c0fa61661e826944b82796f8e65c89f7c668222c34569fb7d698da6920fe4fcbb393aa04c12350c85f77b3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe

Filesize
39KB

MD5
8e354a279186960a523fc2b890198c71

SHA1
c9f176f7f9b39f2a883ca8135bbd4c5b71e20619

SHA256
516af66a590d4ac50cca346898f419a2b30a2c51419f000b2ba281d1fc3e05a7

SHA512
c792569db9e06e188c020a2d35060c23bf22ccad6c0fa61661e826944b82796f8e65c89f7c668222c34569fb7d698da6920fe4fcbb393aa04c12350c85f77b3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe

Filesize
39KB

MD5
8e354a279186960a523fc2b890198c71

SHA1
c9f176f7f9b39f2a883ca8135bbd4c5b71e20619

SHA256
516af66a590d4ac50cca346898f419a2b30a2c51419f000b2ba281d1fc3e05a7

SHA512
c792569db9e06e188c020a2d35060c23bf22ccad6c0fa61661e826944b82796f8e65c89f7c668222c34569fb7d698da6920fe4fcbb393aa04c12350c85f77b3d

Download Submit
memory/440-11-0x00000000007F0000-0x00000000007F6000-memory.dmp

Filesize
24KB

Download
memory/4596-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4596-2-0x0000000000A40000-0x0000000000A46000-memory.dmp

Filesize
24KB

Download
memory/4596-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download